This invention relates to wireless communications systems and, more particularly, to a method and system for fraud detection and supervision in a cellular radio telephone system.
Historical Perspective
The cellular mobile telephone system, a technology that took over forty years to conceive, develop and deploy, was launched in North America in the early 80s. The first American commercial cellular system went into operation in Chicago in 1983. By the late 1980s, cellular systems were operational in virtually every major metropolitan area in the United States. At present, the industry enjoys tremendous growth spurred by the decline in the costs of cellular phones and the fees for cellular service subscription. The future looks even brighter as the industry adopts new spectrum-efficient digital technologies to solve the problems of lack of system capacity and high operational costs (cost of infrastructure equipment per subscriber). The potential of these new technologies for providing evolutionary and invaluable communication services (e.g., data transmission for the "mobile office") is likely to attract millions of new subscribers.
Unfortunately, the booming cellular industry has also attracted alarming numbers of criminals and hackers who are draining profits from the industry and abusing the legitimate subscribers. Accurate estimates on the inflicted monetary loss are difficult to obtain. The consensus, however, is that the cost of cellular fraud may amount to billions of dollars for the entire industry if left unchecked. A general discussion of cellular fraud and the resultant revenue and service losses appears in the article entitled "Cellular Fraud" by Henry M. Kowalczyk in Cellular Business, dated March 1991, at 32-35. Further background on the subject can be found in the article entitled "Spoofers can Defraud Users and Carriers" by Geoffrey S. Goodfellow et al., in Personal Communications Technology dated November, 1985.
Historically, the development of some of the modern communication techniques, such as digital time division and spread spectrum radio transmission, has been heavily influenced by the security and privacy concerns of the early communication system designers, particularly in the military arena. By contrast, the early analog cellular telephone system designers did not consider security related concerns as important as the other aspects of the wireless communication, e.g., voice quality. At the same time, the regulating government authorities, e.g., the Federal Communications Commission (FCC), considered the airwaves, for the most part, to be "public property." The result is that, with some exceptions, everyone has enjoyed the right to tune to and pick up any radio signal. Encouraged by this freedom and the curiosity of the general public, an "eavesdropping" industry has emerged, openly marketing a wide range of scanners that can monitor the airwaves.
However, as more and more cellular systems were deployed and the subscriber base grew, concerns over the lack of security measures in the existing analog cellular telephone systems began to surface. These concerns have centered not only on the lack of voice privacy, but also on the widespread ability to steal cellular service. In recent years, the industry has witnessed a significant increase in the number of mobile stations gaining access to cellular services by illegally identifying themselves as legitimate subscribers. These illegal activities are possible, in large part, due to certain limitations of existing cellular systems which are best understood after a brief description of the structure and operation of a typical cellular system.
Typical Cellular System
Conventional cellular phone systems are implemented by dividing the system service area into physical cells. Typically, each cell may be of a size from a few city blocks to 30 miles in radius. Each cell is served by a dedicated base station which communicates with the system through an exchange known as a mobile switching center (MSC). Calls are made to and received from the system by individual mobile stations (portable, transportable or vehicular radio telephone units) via these base stations. As each individual mobile station moves from cell to cell, or "roams" from system to system, it is served by the particular base station which covers the cell in which the mobile station is then located. Each of the base stations in the system has at least one dedicated control channel through which the system coordinates service. The other radio channels at the base station are used for voice conversations. Each of the control and voice channels is full-duplex (two-way) in nature and consists of a forward frequency channel from the base station to the mobile station and a reverse frequency channel from the mobile station to the base station.
In order to route incoming calls to a mobile station, the location of the mobile station must be known to the system. To facilitate the locating of mobile stations, a cellular phone system service area may be divided into "location areas" each of which consists of one or more cells. A cellular phone system tracks the location of the mobile station in any location area through the process of "registration." In registration, a mobile station transmits a registration request message on the reverse control channel to which it has tuned (generally that of the base station nearest to its location). If the registration request is accepted, the base station will transmit a registration confirmation message on the forward control channel to the mobile station. This confirmation message confirms that the system has registered the mobile station in the location area containing the cell which that base station serves. Registration can be either time-based or location-based.
Time-based or periodic registration occurs independently of other activities of the mobile station and is performed periodically at predefined time intervals. The system periodically transmits certain registration time constants in an overhead message train (OMT) on the forward control channels of the base stations serving the cells in which the mobile units happen to be located. The mobile units then transmit registration request messages to the system, as they move about the system, at time periods calculated by the mobile station according to these time constants. The registration request message is received by the system at the base station serving the cell in which a particular mobile unit is located at the time of transmission. Upon receipt of the registration request message, the system registers that particular mobile in the location area containing the cell of the base station which received the registration request, and that base station will transmit a registration confirmation message back to the mobile station.
Location-based registration occurs as a result of a mobile station moving from one location area to another and/or from one system area to another. Each base station will periodically transmit in the OMT data identifying the location area and/or system in which the base station is located. A mobile station periodically scans the control channels as it moves throughout the system and, by tuning to the control channel with the strongest signal strength, receives the location area and/or system identifying data for the location area and/or system in which it is then located. The mobile station compares the latest received location area and/or system identifying data with data in its memory identifying the last location area and/or system from which it received a registration confirmation message. If the corresponding sets of identifying data match, the mobile is located in the location area and/or system in which it is currently registered. However, if the mobile station has moved to a new location area or system and, hence, the sets of data do not match, the mobile will transmit a registration request message which is received at the base station serving the cell contained in the new location area and/or system in which it is now located. The system will then register the mobile station in this new location area and/or system and send a registration confirmation to the mobile station.
The mobile station can access the system to make a call at any time by transmitting an originating call access request. The call access request is received by the base station serving the cell in which the mobile station is then located. The system will then register the mobile station in the relevant location area (i.e., call originations are treated like registrations for location identification purposes) and transmit an initial voice channel designation message (IVCD) for an analog voice channel, or an initial digital traffic channel message (IDTC) for a digital voice channel, to assign the mobile to an available voice channel. When the system receives an incoming call for a mobile station, the system will send a paging message over the control channels of the location area in which the mobile is registered. The mobile responds by transmitting a page response message back to the system. Upon receipt of the page response message from the mobile, the system will assign an available voice channel to the mobile by transmitting an IVCD or IDTC message.
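The two registration triggers and the access sequence described above can be followed more easily in a small model. The following is an added example written for this page and is not part of the patent; the message field names, the time values, the MIN/ESN identifiers and the treatment of the registration time constant as a period in seconds are all assumptions made here and are not the EIA-553 message formats. It shows a mobile station deciding, from each overhead message it receives, whether to send a registration request, and a system side recording the location area in which the mobile is registered.

```python
"""Registration triggers of an analog mobile station (constructed model).

Two triggers from the text: a periodic timer computed from the registration
time constant carried in the overhead message train (OMT), and a change of
location area or system compared with the last confirmed registration. Field
names, times and identifiers are illustrative assumptions, not EIA-553 fields.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class OverheadMessage:
    system_id: int        # system the base station belongs to
    location_area: int    # location area containing the base station's cell
    reg_period: float     # registration time constant (seconds assumed)


@dataclass
class MobileStation:
    min_: str
    esn: str
    registered: Optional[Tuple[int, int]] = None   # last confirmed (system, area)
    next_reg_time: Optional[float] = None

    def on_overhead_message(self, omt: OverheadMessage, now: float) -> Optional[Dict]:
        """Return a registration request if either trigger fires, else None."""
        if (omt.system_id, omt.location_area) != self.registered:
            reason = "location"     # moved to a new location area or system
        elif self.next_reg_time is not None and now >= self.next_reg_time:
            reason = "periodic"     # time-based trigger
        else:
            return None
        # every access carries MIN/ESN over the air, which is what a scanner captures
        return {"min": self.min_, "esn": self.esn, "reason": reason,
                "system_id": omt.system_id, "location_area": omt.location_area}

    def on_registration_confirmation(self, omt: OverheadMessage, now: float) -> None:
        self.registered = (omt.system_id, omt.location_area)
        self.next_reg_time = now + omt.reg_period


class CellularSystem:
    """System side: records the location area in which each MIN is registered."""

    def __init__(self) -> None:
        self.location_of: Dict[str, Tuple[int, int]] = {}

    def register(self, request: Dict) -> bool:
        # MIN/ESN validation is a separate step; here every request is confirmed
        self.location_of[request["min"]] = (request["system_id"], request["location_area"])
        return True


def simulate() -> Tuple[List[Tuple[float, str]], Tuple[int, int]]:
    """Drive one mobile through a constructed OMT schedule; return the
    (time, trigger) of each registration sent and the final registered area."""
    system = CellularSystem()
    ms = MobileStation(min_="2145551234", esn="82A1B2C3")
    area_1 = OverheadMessage(system_id=17, location_area=1, reg_period=300)
    area_2 = OverheadMessage(system_id=17, location_area=2, reg_period=300)
    schedule = [(0, area_1), (120, area_1), (300, area_1),
                (420, area_2), (600, area_2), (720, area_2)]
    sent = []
    for now, omt in schedule:
        request = ms.on_overhead_message(omt, now)
        if request is not None and system.register(request):
            ms.on_registration_confirmation(omt, now)
            sent.append((now, request["reason"]))
    return sent, system.location_of[ms.min_]


if __name__ == "__main__":
    print(simulate())
```

In the constructed schedule the mobile registers at power-on (no confirmed area yet), again when the 300-second timer expires, again when it hears a different location area, and once more when the timer restarted by that confirmation expires. Each of those four transmissions carries the MIN/ESN pair on the reverse control channel, which is why the later sections treat registrations, originations and page responses alike as exposures of the subscriber identity.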
Subscriber Identification and Validation
In current analog systems, several information elements are used to identify and validate a legitimate subscriber. These elements include the mobile identification number (MIN), which identifies the service subscription, and the electronic serial number (ESN), which identifies the mobile station. In the United States, the MIN is a digital representation of the area code and directory telephone number of the mobile subscriber (i.e., the MIN is a digital representation of NPA/NXX-XXXX, where NPA is a 3-digit number identifying the numbering plan area in which the cellular system is located, NXX is a 3-digit number identifying the cellular operator and the mobile exchange, and XXXX is a 4-digit number which identifies an individual mobile subscriber). The MIN is assigned by the service provider (cellular operator) and is usually programmed into a mobile station either when purchased by the original user or when sold to another user. The ESN is supplied by the mobile manufacturer and is intended to uniquely identify a mobile station to any cellular system and to allow the automatic detection of stolen mobiles for which service can be denied permanently. According to the analog air interface industry standard known as EIA-553, the ESN must be "factory-set and not readily alterable in the field." Furthermore, the circuitry that provides the ESN must be isolated so that it is tamper-proof and any attempt to alter the ESN circuitry should render the mobile inoperative.
Besides the MIN and ESN, each mobile station is also identified by a station class mark (SCM) which designates the transmit power class, mode and bandwidth for the mobile station. Mobile stations in different power classes (portable, transportable or vehicular) will transmit at one of several specified power levels within different output power ranges (0.6, 1.6 or 4.0 Watts). The transmit power level within a given range can be increased or decreased by a power change command from the base station. Furthermore, some mobile stations have the ability to operate in a "discontinuous" transmission (DTX) mode in which they can switch autonomously between two transmitter power level states ("DTX high" and "DTX low"). In addition, some mobile stations are set to operate within only the "basic" frequency range initially allocated to cellular systems while others are also set to operate in the "extended" frequency range which was later allocated. Like the MIN and ESN, the relevant SCM information is stored in each mobile station.
User authorization for cellular service is usually performed at every system access (e.g., registration request, call origination or page response) by a mobile station. When making an access, the mobile station forwards the MIN, ESN and SCM to the system. Each exchange maintains a "white list" containing the MIN/ESN pairs of the valid subscribers and a "black list" containing the ESNs of stolen or otherwise unauthorized mobile stations. The system validates the received MIN to ensure that it belongs to a known subscriber and compares the received ESN with the one stored in the system in association with the MIN. If these validations are successful, the user is considered legitimate and the access is accepted. Service is then provided and controlled according to the received SCM information.
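The validation just described is simple enough to state as code, and doing so makes its limitation explicit. The following is an added example written for this page, not code from the patent or from any switch vendor. The MINs, ESNs and list contents are constructed samples; the SCM bit layout decoded in `decode_scm` and the power-class-to-watts mapping are this example's reading of EIA-553 and are marked as assumptions in the code.

```python
"""White-list/black-list access validation on MIN, ESN and SCM (constructed model)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class AccessRequest:
    min_: str   # 10 digits: NPA NXX XXXX
    esn: str    # 32-bit ESN written as 8 hex digits
    scm: int    # station class mark


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str


def valid_min(min_: str) -> bool:
    """NPA and NXX never begin with 0 or 1 in the North American numbering plan."""
    return len(min_) == 10 and min_.isdigit() and min_[0] not in "01" and min_[3] not in "01"


def valid_esn(esn: str) -> bool:
    return len(esn) == 8 and all(c in "0123456789ABCDEF" for c in esn)


def decode_scm(scm: int) -> Dict[str, object]:
    """ASSUMED layout: bits 1-0 power class (00=I, 01=II, 10=III), bit 2 DTX
    capable, bit 3 extended band. Check against EIA-553 before relying on it."""
    power_class = scm & 0b11
    watts: Optional[float] = {0: 4.0, 1: 1.6, 2: 0.6}.get(power_class)   # assumed I/II/III order
    return {"power_class": power_class + 1, "max_watts": watts,
            "dtx": bool(scm & 0b100), "extended_band": bool(scm & 0b1000)}


class Exchange:
    def __init__(self, white_list: Dict[str, str], black_list: Set[str]) -> None:
        self.white_list = white_list   # MIN -> ESN of the subscriber's mobile
        self.black_list = black_list   # ESNs of stolen or otherwise barred mobiles

    def authorize(self, req: AccessRequest) -> Decision:
        """Validation order: format, ESN bar, MIN known, ESN bound to that MIN."""
        if not valid_min(req.min_) or not valid_esn(req.esn):
            return Decision(False, "malformed identity")
        if req.esn in self.black_list:
            return Decision(False, "ESN black-listed")
        expected_esn = self.white_list.get(req.min_)
        if expected_esn is None:
            return Decision(False, "unknown MIN")
        if expected_esn != req.esn:
            return Decision(False, "ESN does not match MIN")
        # SCM is not an authentication element; it only shapes how service is provided
        return Decision(True, "valid MIN/ESN pair")


def demo() -> Dict[str, Decision]:
    """Constructed subscriber lists and access attempts; note the last case."""
    exchange = Exchange(white_list={"2145551234": "82A1B2C3", "2145559876": "0F0F1234"},
                        black_list={"DEADBEEF"})
    legitimate = AccessRequest("2145551234", "82A1B2C3", scm=0b1000)
    return {
        "legitimate": exchange.authorize(legitimate),
        "stolen_mobile": exchange.authorize(AccessRequest("2145559876", "DEADBEEF", 0b0010)),
        "wrong_esn": exchange.authorize(AccessRequest("2145551234", "0F0F1234", 0b0010)),
        "unknown_min": exchange.authorize(AccessRequest("2145550000", "82A1B2C3", 0b0010)),
        "bad_format": exchange.authorize(AccessRequest("1145551234", "82A1B2C3", 0b0010)),
        # a clone presenting a captured MIN/ESN pair is indistinguishable from the owner
        "clone": exchange.authorize(AccessRequest("2145551234", "82A1B2C3", 0b0010)),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:14s} {decision}")
```

The point of the last case is the one the rest of this document builds on: the check binds an ESN to a MIN, but it cannot tell whether the mobile presenting that pair is the one the ESN was factory-set in. A mobile with a reprogrammable ESN passes exactly as the legitimate mobile does.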
Cellular Fraud
Unauthorized access to a cellular system is possible because of the ability to fraudulently obtain or generate mobile identification information (MIN/ESN) which is then used to "fool" the system into providing service. There are many ways in which valid MIN/ESN information can fall into the hands of a cellular service thief. Since the MIN/ESN is transmitted over the air by each mobile unit at access, it is easily accessible to anyone with the proper scanning equipment. In addition to radio interception, there are much simpler means to obtain the identification information. For example, there are reports of off-the-shelf ESN chips, ESN bulletin boards, and of employees of cellular service shops, who have access to the MIN/ESN information, selling this information.
The tools of the trade for the cellular thief may also vary. Some of the mobile stations being sold today do not comply with the tamper-proof requirement for ESN and, consequently, these mobiles can be easily programmed with a new ESN (there is no tamper-proof requirement for MIN and, hence, all mobile stations are easily programmed with a new MIN). There are also reports of so-called "doctored" phones that are programmed to either automatically scan the reverse control channel and capture the identification information, or to use a different MIN/ESN identity at every access. Other reports have described "cellular cache boxes" operating on computers which are automating fraud.
Fraud control solutions based on encryption and authentication schemes are being introduced for the next generation "dual-mode" (combined analog and digital) systems as specified in the industry standard known as IS-54. Similar functionality is to be supported by a revision of the EIA-553 standard for analog systems. For the existing analog mobile station population, a number of security measures have been used to counteract the problem of unauthorized access. These measures have had varying degrees of success depending on the form of fraud in question. To date, the following fraud techniques have been identified: subscription fraud, roaming fraud, tumbling fraud, cloning fraud, and channel grabbing (or hijacking) fraud.
Subscription Fraud
Subscription fraud is one of the earliest forms of fraud. The perpetrator obtains a service subscription using false personal identification information (fake name, address, etc.). This form of fraud is discovered when carriers fail to receive payments for the services. Although this form of fraud is most difficult to detect, the solution is rather simple. Cellular carriers and/or their sales agents can authenticate subscriber identity prior to issuance of subscription.
Roaming Fraud
Roaming fraud was made possible by the roaming agreements between cellular carriers operating different systems. These agreements allow a subscriber to roam outside of his/her subscription ("home") area and conveniently receive services in a cooperating ("visited" or "serving") system area. In order to receive service in the visited area, each subscriber qualifying under a roaming agreement was issued a temporary roaming number from the number series used in the visited area. Callers wishing to reach the subscriber while roaming in the visited area could dial the temporary roaming number and be connected to the roamer by the exchange in the visited system. Calling privileges were generally made available to the roamer after placing his first call in the visited area. This first call was usually routed to an operator who verified the eligibility of the roamer to receive service (e.g., roaming number, credit card number, etc.).
A fraudulent mobile subscriber could obtain roamer service by illegally obtaining the roaming number of a legitimate subscriber. Armed with this information, the fraud perpetrator could, for example, program his mobile station with the roaming number, have a call placed to this number and a voice channel assigned to the mobile station, and then issue a third party service request over the voice channel requesting connection to a desired phone number. To the visited system, the fraudulent subscriber appeared as a legitimate roamer from another system. Because of the lack of intersystem communication facilities between the visited system and the home system of the legitimate roamer, information concerning roaming subscribers (e.g., their MIN/ESN identity) was not readily available to the visited system. Lacking a proper validation means, the serving system accepted all roamer calls so as not to deny service to legitimate roaming subscribers. Again, this form of fraud was normally discovered only when the legitimate subscriber detected discrepancies in the service bills.
The industry has successfully reduced the roaming type of fraud to a manageable level by installing subscriber identification validation systems, such as a central clearing house, and updating the switching systems (MSCs) with instantaneous roamer validation facilities. The early validation systems, however, were too slow (i.e., did not operate on a "real time" basis). Consequently, and in order not to risk denial of service to a legitimate subscriber, the strategy used was to accept the first call from a roamer and then initiate an identification verification process, either through the clearing house or some other means (e.g., the home exchange). If the validation failed, the associated ESN could be placed on a "barring list" to deny access permanently. Otherwise, all subsequent accesses associated with that ESN were accepted without contention.
These anti-roaming-fraud systems typically worked as follows: On call origination from a roamer, the serving mobile exchange sent (e.g., by X.25 signalling) the MIN/ESN pair received from the mobile station to the home exchange of the roamer or to a clearing house and requested verification. To avoid denying service to a valid roamer, the MIN/ESN pair was initially assumed to be valid and this first call from the roamer was allowed to proceed pending the outcome of the verification request. The home exchange or the clearing house compared the MIN/ESN pair received from the serving exchange to a list of valid MIN/ESN pairs and reported to the serving exchange. If the MIN/ESN pair was not verified by the home exchange or the clearing house, as applicable, the serving exchange disconnected any call-in-progress and blacklisted the corresponding ESN (blacklisting the corresponding MIN for other than a short period of time, e.g., a few hours, would have risked denial of service to the valid MIN holder).
Because of signalling and processing time delays in obtaining the reply to the verification request, however, a fraudulent roamer could enjoy several minutes or, in some instances, several hours of free calling before being disconnected. Newer cellular systems will support so-called "automatic roaming" (no operator intervention) and will be connected with "real time" signalling links operating according to a common signalling protocol, e.g., SS7 or the IS-41 protocol. In these systems, the validation of a roamer MIN/ESN through the home exchange is virtually instantaneous.
Tumbling Fraud
Tumbling fraud is actually an advanced form of the roamer fraud technology that emerged to circumvent the roamer fraud control solutions deployed by the switching systems. The tumbling concept took advantage of the "post-first-call" validation limitation by changing (tumbling) the ESN, the MIN, or both the ESN and MIN after placing one or more successful roamer calls with the first MIN/ESN combination. A fraudulent mobile subscriber using MIN/ESN tumbling selected a roamer MIN (a MIN in which the NPA/NXX belonged to a carrier which had a roaming agreement with the local carrier) and a random ESN to generate a MIN/ESN pair, and made at least one call until the selected ESN value was barred through verification, at which time another MIN or ESN value was selected and another call could be made.
A typical MIN/ESN tumbling scenario would proceed as follows: A perpetrator would first place a successful roamer call. Since it took some time for the serving system to validate the roamer identity, the perpetrator could escape with at least a few free calls. If the roamer validation was successful, the roamer identity could be used repeatedly until service was denied. At that point, the perpetrator would request services by changing the MIN. If the ESN became barred, the perpetrator would change to another ESN and then another MIN and so on. The MIN/ESN tumbler, therefore, was capable of changing its identity at every access, making every call look like a first call from a roamer.
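The post-first-call validation scheme of the preceding section and the tumbling that defeats it fit in one simulation, which is given here as an added example written for this page; it is not code from the patent or from any exchange. The reply delay, call interval, roaming-agreement prefixes, home-exchange subscriber list and the one-hour MIN bar are constructed values, and the "random" ESNs a real tumbler would pick are replaced by a counter so the run is reproducible. The X.25 or IS-41 signalling link itself is not modelled; only its delay is.

```python
"""Post-first-call roamer validation and MIN/ESN tumbling (constructed model).

The serving exchange lets a roamer's first call proceed, asks the home exchange
or clearing house to verify the MIN/ESN pair, and acts only when the delayed
reply arrives: an invalid pair gets the call dropped and the ESN barred (the
MIN only for a short time). A tumbler changes its MIN/ESN so that every access
looks like a first call.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ROAMING_PARTNER_NPA_NXX = ("213555", "312555")   # constructed roaming-agreement prefixes


@dataclass
class Call:
    min_: str
    esn: str
    start: float
    outcome: str = "in progress"   # becomes "verified" or "disconnected"


class ServingExchange:
    def __init__(self, home_pairs: Dict[str, str], reply_delay: float, min_bar: float = 3600.0):
        self.home_pairs = home_pairs        # what the home exchange would answer
        self.reply_delay = reply_delay      # signalling plus processing delay, seconds
        self.min_bar = min_bar              # how long a MIN stays barred after a failure
        self.barred_esn: Set[str] = set()
        self.min_barred_until: Dict[str, float] = {}
        self.verified: Set[Tuple[str, str]] = set()
        self.pending: List[Tuple[float, Call]] = []   # (reply due, call)
        self.calls: List[Call] = []

    def process_replies(self, now: float) -> None:
        """Apply every verification reply that has arrived by `now`."""
        still_pending = []
        for due, call in self.pending:
            if due > now:
                still_pending.append((due, call))
            elif self.home_pairs.get(call.min_) == call.esn:
                call.outcome = "verified"
                self.verified.add((call.min_, call.esn))
            else:
                call.outcome = "disconnected"
                self.barred_esn.add(call.esn)                          # permanent
                self.min_barred_until[call.min_] = due + self.min_bar  # short bar only
        self.pending = still_pending

    def originate(self, min_: str, esn: str, now: float) -> Optional[Call]:
        """Roamer call origination; None means the access was denied."""
        self.process_replies(now)
        if min_[:6] not in ROAMING_PARTNER_NPA_NXX or esn in self.barred_esn:
            return None
        if self.min_barred_until.get(min_, 0.0) > now:
            return None
        call = Call(min_, esn, now)
        self.calls.append(call)
        if (min_, esn) in self.verified:
            call.outcome = "verified"      # already validated, accepted without contention
        else:
            self.pending.append((now + self.reply_delay, call))   # first-call assumption
        return call


class Tumbler:
    """Fraudulent roamer. mode: 'fixed' (plain clone), 'on_denial' or 'every_call'."""

    def __init__(self, mode: str) -> None:
        self.mode = mode
        self.counter = 0
        self.tumble()

    def tumble(self) -> None:
        self.counter += 1
        prefix = ROAMING_PARTNER_NPA_NXX[self.counter % 2]
        self.min_ = prefix + f"{self.counter:04d}"
        self.esn = f"{0xA0000000 + self.counter:08X}"   # a real tumbler picks random values


def run(mode: str, reply_delay: float = 1800.0, interval: float = 300.0,
        horizon: float = 7200.0) -> Dict[str, int]:
    """Attacker attempts a call every `interval` seconds; returns what the exchange saw."""
    exchange = ServingExchange({"2135550001": "0A0A0A0A"}, reply_delay)
    attacker = Tumbler(mode)
    accepted = denied = 0
    t = 0.0
    while t < horizon:
        if mode == "every_call":
            attacker.tumble()
        if exchange.originate(attacker.min_, attacker.esn, t) is None:
            denied += 1
            if mode == "on_denial":
                attacker.tumble()
                if exchange.originate(attacker.min_, attacker.esn, t) is not None:
                    accepted += 1
        else:
            accepted += 1
        t += interval
    exchange.process_replies(horizon)   # settle replies still in flight
    dropped = sum(1 for c in exchange.calls if c.outcome == "disconnected")
    return {"accepted": accepted, "denied": denied, "dropped": dropped,
            "barred_esns": len(exchange.barred_esn)}


def legitimate_roamer(reply_delay: float = 1800.0) -> Tuple[str, int]:
    """A valid roamer's first call is verified; later calls skip the query."""
    exchange = ServingExchange({"2135550001": "0A0A0A0A"}, reply_delay)
    first = exchange.originate("2135550001", "0A0A0A0A", 0.0)
    exchange.originate("2135550001", "0A0A0A0A", 3600.0)   # reply arrived at 1800
    return first.outcome, len(exchange.pending)


if __name__ == "__main__":
    for mode in ("fixed", "on_denial", "every_call"):
        print(mode, run(mode))
```

With a 30-minute reply delay and a call every five minutes over two hours, the fixed-identity clone gets six calls before its ESN is barred and is then refused eighteen times; the tumbler that changes identity only when refused is denied three times but completes all twenty-four calls; the tumbler that changes identity on every access is never denied at all, and the exchange is left with nineteen barred ESNs that will never be presented again. Each barred ESN, and each short-lived MIN bar, is a record of a call that already went through, which is the limitation the real-time IS-41 validation of the next paragraph removes.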
Initial solutions to tumbling fraud included removing abused NPA/NXX combinations from system use, pre-call validation of the ESN for format conformance, diverting roamer calls to an operator (0+ dialling), and even eliminating roaming agreements. As a long term solution, the industry has sought to expedite the exchange of subscriber and call information between switching systems through the development of a common intersystem communication protocol, such as that specified in the industry standard known as IS-41.
Cloning Fraud
Cloning fraud occurs when a perpetrator programs a duplicated mobile station with the identity of a legitimate mobile station. Service requests from this cloned mobile station will pass the user authorization procedures of the current analog system. Fraudulent mobiles that are permanently programmed with a particular identification, or that have the capability to automatically adopt any identity when making calls (i.e., the so-called "doctored" phones), fall into this fraud category.
It should be observed that, from a system point of view, when a mobile illegally gains access, regardless of the specific fraud technique being used, the mobile has adopted the identity of a valid subscriber. Thus, all of these fraudulent mobiles could be considered clones. At present, there is no known switch-based solution for this form of fraud.
Hijacking Fraud
Hijacking or channel grabbing fraud occurs when a perpetrator "grabs" a voice channel which is being used for a conversation involving a legitimate subscriber. The hijacker usually scans the frequencies in the cellular system to find an active voice channel being used for a call by a valid mobile station. The hijacker then tunes to this voice channel and "overpowers" the valid mobile station by increasing the transmit output power of the hijacker's mobile station. At this point, the hijacker has effectively taken over the voice communication with the base station and can issue a third party service request to obtain a connection to a desired phone number (this is normally done by pressing a button on the mobile station keypad to send a hook flash during a call). The base station will interrupt the call and connect the hijacker to the desired number (meanwhile, the legitimate mobile subscriber terminates the prior call because of the interruption). Again, there is no known switch-based solution for this form of fraud.
Fraud Summary
From the foregoing discussion, it can be seen that there are several dimensions to the fraud problem: The availability of mobile identification information, the mobile manufacturers' lack of compliance with the security related standards, the switching systems' inability to exchange subscriber/call related information, and the issuance of subscriptions without sufficient credit/identity checks. From a technology standpoint, long term solutions to these problems are not beyond reach. Having the mobile manufacturers comply with the security requirements would make it difficult, if not impossible, to alter a mobile's identity in the field. Encryption and authentication schemes, such as the one used in the dual-mode standard (IS-54), will make it difficult to access the mobile's identification information off the airwaves. The current analog specification (EIA-553) is also being revised to include security related functions. Furthermore, with the implementation of IS-41, dissimilar systems should be able to exchange subscriber/call related information and validate subscriber authenticity. In addition, future mobile communication systems are likely to become "more intelligent" (i.e., enhanced with anti-fraud measures) to detect, deter and prevent fraud.
Today, however, there are over fifteen million analog mobile stations in North America alone. The long term solutions mentioned above will bear fruit only when the mobile stations are also modified to adhere to the technical requirements of these solutions. Thus, while newer mobile stations become more secure, an interim switch-based solution is required to counter the threat of unauthorized accesses by the existing analog mobile population, while avoiding the need to recall and upgrade these mobiles. The present invention provides this solution by detecting anomalies in subscriber behavior which may indicate fraud. The indications of fraud are reported to the operator and repeated indications of fraud may result in the denial of service requests from the suspected fraudulent mobile stations.